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(57) Abstract 

pubomputer system (100) that uses a random access memory (1 02) or equivalent memory to store operating system data and ''persistent" 
data (1 12), i.e., any data stored in the random access memory (102) that is designated to be retained after a system reset, includes a recovery 
boot system that implements a method for recovering the persistent data after a system reset that necessitates re-initialization of the 
random access memory (102) with operating system data. The recovery boot system allocates the random access memory (102) during 
re-initialization such that new memory allocations do not conflict with persistent data (102) allocations made prior to the system reset. 
After fundamental operating system data are initialized, the persistent data (112) are recovered. Thereafter, the remainder of the data to be 
re-initialized can be stored in any available location in the random access memory (102). 
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RECOVERY BOOT PROCESS 
Gregg B. Kellogg 

CROSS— REFERENCE Tn M TCROFTCHB ap pEMnTPPfi 

Appendix A, which is a part of the present 
5 disclosure, i 6 a microfiche appendix consisting of 
3 sheets of microfiche having a total of 154 frames. 
Microfiche Appendix A is a computer program listing of 
boot code for use in one embodiment of this invention, 
which is described more completely below, 
o . Appendix b, which is a part of the present 
disclosure, is a microfiche appendix* consisting of 1 sheet 
of microfiche having a total of 21 frames. Microfiche 
Appendix B is a ROM valid listing defining the data 
structure of a ROM according to one embodiment of this 
15 invention, which is described more completely below. 

A portion of the disclosure of this patent document 
contains material which is subject to copyright 
protection. The copyright owner has no objection to the 
facsimile reproduction by anyone of the patent document or 
20 the patent disclosure, as it appears in the Patent and 
~ Office patent files or records, but otherwise - 

reserves all copyright rights whatsoever. 

BACKGRnnw n pp rmrvvrprr^ 

1. Field of the Invention 
This invention relates, to a computer system including 

a memory and a method for resetting the computer system 
such that pre-existing persistent data stored within th* 
computer system is not destroyed by the system reset. 

2. Related Art 

In computer systems, various events can cause the 
computer operating system to "crash,", disabling the 
computer system. An operating system crash is initiated, 
for example, when the integrity .of certain operating 
system data is compromised. Operating system data can be 



25 



30 



WO 95/12848 



PCT/US94/12567 



~ 2 - 



- ^promised by, for example, an internal software error a 
hardware failure, an application t >4 , , ' a 

an in s ,>^4 • a PPHcation failure associated .with- 

5 S ^ ^ ^y***.^* interaction with. »». . 

and !Tr atin9 ***** iS ^ detection 

"re"f ' ° f ^ err ° r * ^ 0perati "* s * st -' °r by 
on" ° f C ° nPUUr ~ SO ^ ~ ^rther 

the grating system crashes, the colter system must be 

^tial TT ° r ° f C ° apUter 

-xtxalx^d to a state at which user operation of the 

computer system can begin again.. 

The system reset may -be ei *->,*»>- » v „ 
« y De ei ther a hardware reset or a 

After . hardware reset, an bf the colter system 
hardware is re-initia^ed. Mter . soft „ are 

20 i!^ , 3 ^ "^•""9 •yt- *.« is re- 

values. Herem, "primary me^ry d avice" refers to a 
memory device from which the computer systMi 
^ercproceesor generator** Soring operation ofthe 
computer system. Be „ ory ^ 

ul rr* aevioe " suoh - * «* **" « • £ 

-ut. »ft,r both the hardware and software resets, the 
Primary memory device must be re-initialized 

crash D T ,iln9 °". the MtUre ° f * be 
30 r» lt Lf * ° P T tln9 SySteK ^ ^atically 

system reset. User-initiated hardware resets are 

thl ! 1 ^ * tUrnin? the "~ o« and 

«en on aaaxn. Oser-initi.ted sortware resets are 
Really initiated -by pushing a res et button on the 
35 computer system, or on. or more Keys on the keyboard. 
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For most computer systems, a system reset is 
frequently a relatively benign operation that does not 
result m the destruction of any user data. This is 
because user data can be stored on one or more secondary 
5 memory devices, such as a disk drive, that are separate 
from the primary memory device on which the operating 
system is stored. Thus, even though user data is 
typically initially stored on the primary memory device, 
xf the user data has been "permanently" saved to the 
10 secondary memory device, as is frequently the case, 
initiation of a system reset does not destroy user data 
since only the data stored on the primary memory devic is 
reinitialized. Though data in -the secondary memory 
device can also be compromised, existing recovery software 
15 allows restoration of the integrity of such data. 

In contrast, computer systems containing only a 
Primary memory device store user data along with operating 
system data at all times. Computer systems including only 
a primary memory device are desirable because the price of 
20 the computer system is reduced since a secondary memory 
device as not required and slnoe tlghter integratlon of 
hardware components is possible because user data is 
directly available. 

25 i« i T™**' 3 Sl9nificant vith computer systems 

25 including only a primary memory device i s that a system 
reset ^typically causes all user data to be lost when the 
operating system data is re-initialized on the primary 
memory device, m existing methods for re-initialising a 

30 In^ ne r 0ry dCVlCe aft6r 3 T tem reset ' to *- 

30 initian zat ion, all of the primary memory locations are 

Placed on a "free list." The operating system data is 

then stored at any available primary nein ory location. 

Thus, the operating system data may be stored in a primary 

memory location that previously contained user data, 

35 resulting in the destruction of the user data. 
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svst ' At " de6iral *« to provide, i„ a computer 
system, deluding only a primary memory device I system 
and me thod for re-initialising the operating ^Jon the 
primary memory device aff«»r a « 
5 data ev^- • ^ter .a system reset,, such that user 

the system reset. ««-r 



SBMi&RY op 7^ TrTfTTTt?w 

or Ji^r""" Sy " eB a ran4on — «Y 

per«ste„t data, i.e., any iata stored ^ ^ 

«... 4. 016 Mmor y ls not destroyed by 

locations that contain persistent data. 
25 im, ? ^ reC ° Very boot according to the 

operaring system data is stored <*, 

nWa .. B scored in the memory to allow the 

* ernel aaa har * ware — * 

pSL^tT; «• — « recover 

30 L S« tf* — 10 ° a "°" is «*- 

ata „ *• ^ tlle "™«y location is no lonoer 

Each instance of data stored in the memory is 
35 associated with a virtual memory address used by a 
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processor (also part of the computer system) to identify 
the physical memory address of the data and access the 
physical memory location of the data in the memory. Data 
required for translating the virtual memory addresses of 
5 both operating- system data- and persistent data" to physical 
memory addresses are retained, in one embodiment, through 
the system reset. 

After the system reset-, the retained translation data 
are used to map the virtual memory addresses of 
10 fundamental operating system data to physical memory 
addresses, consequently, after* the system reset, 
fundamental operating system- data is stored in the same 
physical memory locations in the memory as before the 
system reset. Thus, re- initialization of the fundamental 
15 operating system data in the memory does not destroy any 
of the persistent data stored in the memory. 

After' memory allocation for the fundamental operating 
system data, i.e., recovery of the fundamental operating 
system data, the persistent data is recovered. During 
20 normal operation of the computer system, the virtual 
memory addresses of some data stored in the memory are 
tagged to indicate that the data is persistent data. A 
list of tagged virtual memory addresses is stored starting 
at a physical memory address corresponding to a virtual 
25 memory address that is fixed for the operating system. 
After system reset, this virtual memory address, which can 
be "knovn" by the processor immediately after the system 
reset or "discovered" by the. processor during recovery of 
the fundamental operating system data, is used to access 
30 the list of tagged virtual memory addresses. The tagged 
virtual memory addresses are used to allocate the 
corresponding physical memory locations in the memory so 
that other data cannot thereafter be stored in those 
memory locations during the recovery boot process. 
35 Subsequently, the recovery boot process can be 

completed using any physical; memory locations that have 
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not previously been allocated. Since only physical memory 
locations are used that have not been allocated during the 
recovery of the fundamental operating system data and the 
persistent data, persistent data is not destroyed by the 
5 remainder of the recovery boot process. 

An advantage of the system and method according to 
the invention is that persistent data can be recovered 
after a system reset without unduly constraining the usage 
of memory. For example, it is -not necessary, as is the 
10 case of other systems, to specify a region of memory for 
storage of the file system. * Unlike other systems in which 
a pre-defined area is set aside for file system storage, 
i.e., a region in memory of fixed size is allocated only 
for the file system, in the recovery boot system and 
15 method according to the invention, the exact locations and 
sizes of all portions of the file system are determined at 
boot time. Thus, memory fragmentation, i.e., memory space 
allocated for a specific type of data that remains unused 
by data of that type, does riot occur with the recovery 
20 boot system and method of the invention. Consequently, 
the recovery boot system and method according to the 
invention allow a. more dynamic allocation of memory 
between file system data and run time data. Such 
flexibility is particularly useful for computer systems 
25 that include an operating system with complex file system 
structures that require a large 1 area of memory for run 
time data storage, since more memory is made available for 
those run time data structures. 

BRIEF DBfin?TPT.Tm> 0F TH R npawTM/^c 

30 Figure l is a block diagram illustrating a computer 

system according to the invention. 

Figure 2A is a block diagram of a recovery boot 
process according to an embodiment of the invention. 
Figure 2B is a block diagram of a recovery boot 
35 process according to another embodiment of the invention. 
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Figure 3A is a schematic: representation of mapping of 
a virtual memory address to a physical memory location 
using paged segmentation according to one embodiment of 
the invention. 

.5 Figure. 3B. is a schematic representation of mapping of 

a virtual memory address to a physical memory location 
using non-paged segmentation according to another 
embodiment of the invention* ^ 

Figure 4A is a diagram of the data structure of a ROM 

10 for use with the invention. 

Figure 4B is a diagram of a ROM item defined within 
the ROM of Figure 4A. 

Figure 4C is a diagram of ah Elf file defined within 
the ROM item of Figure 4B. 
15 Figure 5A is a block diagram of the fundamental 

operating system data initialization step of Figure 2A 
according to an embodiment oh the invention. 

Figure 5B is a block diagram of the fundamental 
operating system data initialization step of Figure 2A 
20 according to another embodiment of the invention. 

Figure 6 is a block diagram of the persistent region 
recovery step of Figure 2A according to an embodiment of 

Figure 7A is a block diagram of the system free list 
25 initialization step of Figure 2A according to an 
embodiment of the invention.' 

Figure 7B is a block diagram of the system free list 
initialization step of Figure 2B according to an 
embodiment of the invention. 



30 PEraiWD DESCRIPTION OF i M BODTMBHTfi at? THE THVKWTTnw 

According to the principles of the invention, a 
computer system that uses a yandom access memory or 
equivalent memory to store operating system data and 
"persistent" data (defined below) includes a recovery boot 
35 system that implements a method for recovering the 
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persistent data after a system reset that necessitates re- 
initialization of operating system data into the memory. 
Specifically, the recovery boot system according to the 
invention allocates memory during re-initialization of the 
5 operating system data into the memory such that new memory ' 
allocations do not conflict with persistent data 
allocations made prior to the system reset. 

Herein, -persistent data- is any data stored in the 
memory that is designated to be retained after a system 
10 reset. Persistent data typically includes data that is 
generated during use of the computer system that would 
take a significant amount of effort on the part of a user 
of the computer system to recreate, or that probably 
cannot be exactly recreated by the user, m one 
15 embodiment, persistent data includes, for instance, the 
file system data created and: continuously updated during 
use of the computer system. ! The file system data 
includes, for example, data generated by a user such as 
text created using a word processing application program 
20 or a database created using a database application 
program. 

Each instance of data stored in the memory is 
associated with a virtual memor^ address used by a 
processor (also part of the computer system) to identify 

25 and access the physical memory location of the data in the 
memory. Data required for translating the virtual memory 
addresses of both operating system data and persistent 
data to physical memory addresses are retained through the 
system reset. After the system reset, the retained 

30 translation data are used to map the virtual memory 

addresses of fundamental operating system data to phvsical 
memory addresses. The fundamental operating system data 
is data that. is sufficient to allow operation of the 
kernel and code that interfaces the operating system to 
35 various system hardware. Consequently, after the system 
reset, the fundamental operating system data is stored in 
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the sae physical memory locations as before the system 
Cthe nhvT I " ,yEiCal " ,el " 0ry 10C " 10 " 5 O- 

system data was stored prior to the system 
». reset, reinitialisation of the fundamental operating, 

n v T, a0M ™ «J « the persistent data. 

, I*** 1 "* 1 »«»ory addresses corresponding to the 

Physical memory locations ,t »hich the tunaaneM al 

^1 r p f 1 — iocatw «»* »» — to 

store other data. 

in the recovery boot proems of this invention after 

, :: o ry n ocation for the t ^^ lop ^™^ 

15 data' th!" reCOV6ry ° £ ^ t 011 ^ tal °^ rati ^ -yt» 
option rrt S r tent ^ iS " 6C0Vere ^ ^ norLl 
2Ir~ ! COIDPUter 5yStem ' the »«ory 

-ess that is fixed tor SCX^^T^ 

E^CIT VlrtUal m&miy " 
.r" * *"* P r ° t »«« immediately atter r .,. t 

discovered" by the processor during recovery of the 

^tl 0 ^"^ ****** - explained in more 

art.il below, re used to access the list of tagged vlr-ual 
memory addresses. »e tagged virtual memory aldr.sle\\« 
mapped to physical memory addresses and the physical 
~mory addresses are marked to indicate th« i I 
30 Be stored »* indicate that data cannot 

"l'V e Physical memory >ocatio„s. 

systel Z . *7 "^""tin, a computer 

Mstem ioo. according to the invention. Microprocessor 10 , 
interfaces with a random access memory », e!g a " 

35 Z L""' 0 "' TCBOry ' a -4' 

(ROM) 103, and other computer circuitry 104. 
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In Figure 1, only the components of computer 
system 100 required to understand the recovery boot system 
and method according to this invention are illustrated. 
Those skilled in the art will appreciate that computer 
5 system loo also includes structure for accepting user 
input to computer system 100 such as a keyboard or a pen 
stylus, an output display device such as a back-lighted 
liquid crystal display, and. structure for housing and/or 
supporting each of the components of computer system 100. 
io Additionally, each of the components of computer 

system 100 are interconnected using structure known to 
those skilled in the art. A computer system 100 suitable 
for inclusion of the recover^ boot system according to the 
invention is sold by EO Inc.; of Mountain View, California 
15 as Model No. 440 or Model Ho. 880. 

ROM 103 has a data structure discussed more 
completely below, and stores all or the operating system 
data in, i.e., basic instructions for operating 
microprocessor ioi, for computer system ioo, such as 
20 kernel instructions, instructions for various libraries 
■ and services, and instructions kor graphics libraries, as 
well as instructions 112 for. the novel recovery boot 
system according to the invention. Any operating system 
compatible with microprocessor 101 can be used. In one 
25 embodiment, where microprocessor 101 is a Hobbit processor 
available from American Telephone and Telegraph (AT&T) , 
the operating system is the PenPoint operating system ' 
available from Go Corp. row 103 also stores applications 
programs such as word processing, data communications and 
30 graphics programs. 

RAM 102 is used during operation of computer 
system 100 to store data that it is desirable to make 
readily accessible to microprocessor 101, e.g., data that 
is frequently used, or read/write" data such as user data. 
35 Some, of the user data stored on RAM 102 is persistent 
data 112, as defined above. 
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During operation, computer system 100 way "crash" for 
any of a number of reasons such as, for instance, an 
internal software error, i.e., corruption of some of the 
data stored on RAM 102. often, the operating system is 
5 able to recover from the. crash on its own and does not 
require resetting of computer system 100. A crash from 
which the operating system cannot recover may be 
indicated, for instance, by detection and reporting of an 
error or by the failure of computer system 100 to respond 
10 to user input. When the operating system cannot recover 
on its own, computer system loo must be reset and RAM 102 
must be re-initialized with operating system data ill to a 
state that allows user operation of computer system 100. 
Computer system 100 contains hardware that allows the user 
15 to "manually" reset computer system 100 after a crash from 
which the operating system' cannot automatically recover. 

Computer system 100 can be manually reset in two 
ways: hardware reset and software reset (recovery boot). 
A hardware reset causes computer circuitry 104, RAM 102 
20 and certain other hardware, not'shown for clarity in 

Figure 1, to be re-initialized. In .particular, ram 102 i s 
re-initialized without regard to the state of ram 102 
prior to the hardware reset. Hence, all data stored in 
RAM 102 prior to the hardware reset, including persistent 
25 data 112, is lost, a software reset is less drastic. 
RAM 102 is re-initialized, as described below, so as to 
prevent certain important data, i.e., persistent data 112, 
from being lost. 

Generally, a software reset is preferred, a hardware 
30 reset is necessitated if the software reset does not 
return computer system 100 to a user operable state, a 
hardware reset may also be required, even though the 
software reset "works,- i.e.", computer system 100 can be 
re-initialized to a user operable state, if, after the 
35 software reset, the persistent data 112 is corrupted to 
the point that the persistent dska 112 is not usable. 
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in one embodiment of the invention, a hardware reset 
xs initiated by depressing a reset button so that, while 
power renins turned on to. computer system 100, computer 
Circuitry 104 and RAM 102 are fully re-initialised. 
5 . In one embodiment of the invention,- a software reset 
is vitiated by depressing the power button for an 
extended period of time, then releasing the power button. 
Any desired length of time can be used and the passage of 
sufficient time can be indicated by, for instance, an 
10 audao signal such as a succession of beeps, m a further 
embodiment, the tone of a succession of beeps changes when 
the power button has been depressed for a sufficient time 
to initiate a software reset. Depression and release of 
the power button as described above each generate an 
15 interrupt so that a software reset is initiated. 

Figure 2A is a block diagram of recovery boot 
process 200 according to an embodiment of this invention. 
Recovery boot process 200 begins with system reset 

20 software 5 ' T" ^ lnClUdeS * — -^iated 

software reset, as described above, immediately after 

initiation of the software reset, certain hardware, such 

as a power controller, a communications port, and a 

display screen, are initialized. One embodiment of a 

25 IZZ^T™ 11 ** f ° r U6e With this invention-is 

described ih copending, commonly owned, U.S. Patent 

clrcuTi 0 " SCrUl N °* ??/??? ' ??? ««tl«I »A Power Supply 

Z2 \ P ° Wering a C °^ ter and - ^-nal 

Device from a single Battery Power Source," by David 

Anthony Chavez, Ron A. Balczewski, and Bernard Jean 
30 Lacroute, filed on the same date as the present 

application, the pertinent disclosure of which is herein 
incorporated by reference. 

RAM 102 is initially unavailable for use by 
microprocessor 101 during system reset step 205 so that 
there is no danger of destruction of persistent data U2 
stored in RAM 102 . as explained in more detail below, as 
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recovery boot process 200 progresses through the initial 
stages, certain pr e- d e ri n e d locations of m 102 gradually 
become available for use by microprocessor 101. 
Mxcroprocessor 101 does not have free use of RAM 102 until 
5 persistent data 112 has been recovered, as explained 
below. 

In fundamental operating system data initialisation 
step 210, certain operating- system data, referred to 

10 net! " ' ,fUndamental astern data," that are 

• io necessary to enable operation of the kernel and the mill 
are recovered to permit a basic level of operation of 
computer system 100. <The fundamental operating system 
data are stored in ROM 103. 

is m I* emb ° diment ' at th « ^ginning of fundamental 
15 operating system data initialization step 210, only a 
Physxcal memory address in ROM 103 of a data structure 
that enables boot code, i.e., code that COJltrols the 
initialisation of the hardware p f computer system ioo. to 
begxn to be processed by microprocessor 101 is available 

The boot code includes instructions that, along with the 
*nown ROM data structure, allow -discovery. o/physLT 
-mory locations in ROM 103 that store virtual memory 

25 ooeraT" "* PhySlCal ~ "«°-~ ° f ^ fundamental 
25 onerat^g system data as existent before system reset 

step 205. These virtual and, physical memory addresses are 

used to re-initialise segment and page table entries 

corresponding to the fundamental operating system data, 

30 , r* 1 * C ° Pyin9 ° f Certain ^^al operating 
30 system data to ram 102 . TnuS/ ^ fundaMei)taa operati 

system data is stored at the same physical memory 
locations as were used before recovery boot process 200 , 
thereby ensuring that recovery of the fundamental 
operating system data does not destroy persistent 
35 data 112. . 
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Acceding to the invention recovery tooot 
persistent data 112 is not destroyed by the re- 

■» Perl^Tfr ° £ " 2 " ith "»««!*»». .yste. data. . . 
' ZIT " 2 Mrked 3S ^"i^-t at some ti M 

Zl 17 20S - »* —*U. persistent 

inxti,v T "** " P - Sistent th. first 

initiation of the operating syste» of computer 

« °T "tefa h' 6 ;' " hen "° 1S "-' turned 

AV on ' a «er a hardware reset c»y rin^-j^^ 

5ei: ' or aurang normal operation of 
colter syet» loo. In one ' eabodlnent of the invention 

ZlZ'lT 1,9016 " le aysteB of c ~ - 

is marked as persistent data 112 The f-n* ^ ^ . 

inif f»i.«» - - - * flle s y st «™ data is 

15 ope~ ! " ^ Wti.li„tlon of the 

gating syste* of colter system 100 and updated durinc 
norinal operation of computer system 100. * 

initioli^r^f ° f fUndalBental gating syste* data 
initio^ation step 210, persistent data lla is recovared 
in persistent region recovery step 220 a • 
20 the v^h„i ^ P ■ ' A re ?ion table, 

cperlti,^ 8ddrCSS ° f UWCh " by the 

cperat „ 9 systen, and "discovered- during fundamental 

TLt of ~r T ^ ll,itlali "«- ~P 2 io, inches a 

"Sud^tn r S ^ ° f VlrtMl — Besses 
.LIT re9i ° n ^ M attrlb » te indicates 

regit TcZ™ ^ Vlrt ° al "*«» -*«- within the 
Persistent aT" PhySlCal — ' ■*«. 
reviewed, yor each virtue! .eMory address of each region 

^llTmi h « -*« «• "«cate t£t 

corresponding physical »e„ory locations are allocated 

35 „ t " r CM, P leti ™ <* Persistent region recovery 
li-t initiation step 230.' Per each region in the 
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region table, the segment and page table entries 
corresponding to virtual addresses in the region are 
reviewed. Physical memory addresses of physical memory 
locations that are being used are identified and the 
. 5 system free li e t is created, as a list of the remaining ■ 
physical memory addresses. 

In contrast, in previous methods for re-initializing 
RAM after a software reset, .all of the RAM memory 
locations were immediately placed on the system free list. 
10 The operating system data was mapped to any available 
physical memory locations within the RAM. Thus, the 
operating system data could be stored in physical memory 
locations that contain user data prior to the system 
reset, thereby destroying the user data. 
15 After system free list initialization step 23 0 is 

completed, the next step in- recovery boot process 200 is 
system start-up step 240. system start-up step 240 
includes, among other things, iAiitialization of 
input/output devices, further initialization of parts of 
20 the operating system kernel, e.g., memory manager and 
memory allocator, and initialization of device drivers. 

After system start-up step 240, the next step in 
rec °very boot Process 200 is file system recovery 
step 250. In file system recovery step 250, the data 
25 structure, i.e., file system, that stores information 
regarding the files stored in RAM 102 and ROM 103 is 
recovered. The file system Includes information regarding 
the name, location, permission and attributes of each 
file. The file system also includes information regarding 
30 the presence of other volumes or disks. 

upon completion of file system recovery step 250, 
computer system 100 completes recovery boot process 200 by 
initializing the remaining parts of the operating system 
such as additional libraries anji applications that are 
35 part of the operating system. 
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Figure 2B is a block diagram of recovery boot 
process 260 according to another embodiment of the 
invention. Recovery boot process is similar to recovery 
boot process 200 and like 6teps are indicated by the s ^ 
5 numerals used in Figure 2A. The above description of" 
steps in process 200 with the same reference numeral as 
the steps in process 260 are incorporated- herein by 
reference. 

In recovery boot process 260, fundamental operating 
10 system data initialization step m and system free list 

initialization step 231 are slightly different than 
fundamental operating system data initialization step 210 
and system free list initialization step 230, 
respectively, and persistent data recovery 220 is 
15 eliminated. Recovery boot process 260 differs from 
recovery boot process 200 in that fundamental operating 

system data and persistent data n-> » 

* aata 112 that are recovered are 

*ot marked as used during recovery boot process 260, i. e 
the segment and page table entries corresponding to 
20 fundamental operating system data and persistent data hp 
ara not marked when recovered. Rather, recovery boot 
process 260 takes advantage of the fact that during 
operation of computer system ioo prior to system reset 
step 205, both fundamental operating system data and 
25 persistent data 112 are marked in the region table as 

persistent," i.e., a persistent attribute is "turned on." 
During system free list initialization 231, the region 
table is scanned and thephysical memory addresses of all 

30 Vi e rtlTl data re " OVed fr ° m the syste * 

, SSeS ° f PCrSiStent data 112 
from the last of available virtual memory. 

S y^temT e VT Very b ° 0t Pr ° CeSSeS 200 and 260 inCl ^* - 
«y.*» reset step 205 that, in turn, included a software 

reset. Computer system 100 alsjb can recover from a 
35 processor reset in a manner similar to recovery boot 
process 200 or 260- A processor reset is a non-user- 
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initiated reset, i.e., an automatic reset, that occurs 
when microprocessor 101 attempts to take an exception, and 
the process of taking an exception takes an exception. At 
that point, the only thing microprocessor 101 can do is 
5 reset. In a method according to the. invention for •■ 
recovering after a processor reset, microprocessor ioi 
goes through a processor reset state in which 
microprocessor ioi determines whether a hardware or 
software reset is required, and, if a software reset is 
10 retired, begins one of recovery boot process 200 or 260. 
In computer system 100, i the segment table and, 
-therefore, page tables are available to microprocessor ioi 
shortly after system reset step 205 because the physical 
m««nory base address of the segment table is "discovered » 
15 as explained in more detail below, during the initial ' 
stages of fundamental operating system data initialization 
step 2io. Discovery of this physical memory base address 
can be accomplished either by structuring the operating 
system to store the physical* memory, base address of the 
20 segment table, e.g./ at a physical memory address 

identified within the boot data structure, the boot data 
structure having been "discovered" at an earlier stage of 

fundamental- operating system data initialization step 210 
or by structuring the computer system hardware' so that the 
25 physical memory base address of the segment table is 
always known, e.g., by having one of the registers of 
microprocessor ioi store thej physical memory base address 
of the segment table. 

Recovery boot process 200 takes advantage of the 
30 preservation of the physical memory base address of the 
segment table to, with other tables, re-initialise 
RAM 102, as explained below, without destroying persistent 
data 112 stored in RAM 102 prior to the system reset. The 
segment table and associated pa^e tables are used to 
35 translate virtual memory addresses into physical memory 
addresses of persistent data 112 so that the persistent 
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. data 112 is restored to the same physical memory locations 
m RAM 102 as used prior to recovery boot 
process 200 or 260. 

Computer system 100 has a memory structure including 
5 a physical memory address space, and a virtual memory 

address space. The physical memory address space includes 
the entire set of physical memory addresses. The system 
controller (not shown) associates portions of the physical 
memory address space with particular pieces of hardware, 
10 x.e. one or more particular physical memory locations, 
such as ROM 103, RAM 102 or input/output ports (not 
shown) . However, not all physical memory addresses 
necessarily. refer to actual physical memory locations, and 
more than one physical memory address can refer to the 
15 same physical memory location. The virtual memory address 
space includes the entire set of virtual memory addresses 
Portions of the virtual memory fcddress space are 
associated with particular pieces of software, either 
dynamically or statically. 
20 i„ one embodiment, the virtual memory address space 

and the physical memory address space are the same size. 
The software of computer system 100 accesses data stored 
withxn the hardware of computer system 100 by translating 

known virtual memory addresses to physical memory 
25 addresses and accessing the data stored at the 
corresponding physical memory location. 

Figure 3A is a schematic representation of mapping of 
virtual memory address 300 to physical memory 
location 331-3 in physical memory page 330 using paged 
30 segmentation according to one embodiment of the invention. 
Virtual memory address 300 is four bytes (32 bits) long 
and includes segment table offset 301, page table 
offset 302 and page offset 303 Segment table offset 301 
includes io bits (bits 22 through 31), page table 
35 offset 302 includes io bits '(bits n through 21), and page 
offset 303 includes 12 bits (bits 0 through 11) . it is to 
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be understood that virtual memory address 300 could be 
one, two, eight or some other number of bytes long, and 
that segment table offset 301, page table offset 302 and 
page offset 303 can include any desired number of bits. 
5 segment table 310, page table 320 and memory page 330 

are used by computer system 100 in translation of virtual 
memory address 300 to physical memory location 331-3. 

Each of segment table 310 and page table 320 are 
themselves a memory page. Segment table 310, page 

10 table 320 and memory page 330 each include 1000 four byte 
words, m segment table 310, each word is one of the 
segment table entries 311-1 through 311-N. m page 
table 320, each word is one of .the page table entries 
321-1 through 321-N. i n memory page 330, each word is one 

15 of the physical memory locations 331-1 through 331-N. 
Herein, "word" refers to the primary unit of 
information used by microprocessor 101. it is to be 
understood that the computer' system, and method according 
to the invention are equally applicable to computer 
20 systems having a segment table, page tables and memory 
pages including a different number of words or words of a 
different size. . 

- " Segment table entry 311-2 includes physical memory 
address 312, and region 313 that includes permission and 
25 read/write attributes. Each,' of the other segment table 
entries 3U-i and 3U-3 through 3U- N similarly include a 
Physical memory location, and permission and read/write 
attributes. Likewise, page table entry 321-4 includes 
Physical memory address 322, and a region 323 that 

30 includes permission and read/write attributes. Each of 
the other page table entries 321-1 through 311-3 and 321-s 
through 321-N similarly include a physical memory 
location, and permission and read/write attributes. The 
read/write attributes in regions 313 and 323 indicate 

35 whether the segment table entry 311-2 and page table 
entry 321-4, respectively, have been written to or read 
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from. The permission attributes in regions 313 and 323 
indicate whether the segment table entry 311-2 and page 
table entry 321-4, respectively, are protected at kernel 
level or user level. 
'5 Though not shown, there are a plurality of page 

tables, e.g., page table 320. The physical memory address 
in each segment table entry, e.g., physical memory 
address 312 in segment tablet entry 311-2, is a physical 
memory base address of one of the page tables, e.g., 
10 physical memory base address 324 of page table 320. 

Likewise, there are a plurality of memory pages, 
e.g., memory page 330. The physical memory address in 
each page table entry, e.g., physical memory address 322 
in page table entry 321-4, is a physical memory base 
15 address of one of the memory pages, e.g., physical memory 
base address 334 of memory pag^l 330. 

Translation of virtual memory address 300 to physical 
memory location 331-3 occurs as follows. Segment table 
offset 301 in virtual memory address 300 is combined with 
20 physical memory base address 314 of segment table 310 to 
yield physical memory address 315 of segment table entry 
311^2. Physical memory address 312 in segment table entry 
311-2 specifies the physical memory base address 324 of 
page table 320. 
25 page table offset 302 ijn virtual memory address 300 

is combined with physical memory base address 324 to yield 
physical memory address 325 of page table entry 321-4. 
Physical memory address 322 in page table entry 321-4 
specifies physical memory base address 334 of memory 
30 page 330. Page offset 303 in virtual memory address 300 
is combined with physical memory base address 334 to yield 
physical memory address 335 of jphysical memory 
location 331-3. . . 

Figure 3B is a schematic representation of mapping of 
35 virtual memory address 340 to physical memory 

location 361-2 using non-paged segmentation according to 
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another embodiment of the invention. Virtual memory 
address 340 is four bytes long and includes segment tabic 
offset 341 and segment offset 342. Segment table 
offset 341 includes 10 bits (bits 22 through 31) and 
5 segment offset 342 includes .22. bits, (tits o through 21) •. . 
As above, virtual memory address 340 can be other than 
four bytes long, and segment table offset 341 and segment 
offset 341 can include any number of bits. 

Translation of virtual memory address 340 to physical 
10 memory location 361-2 occurs as .follows. Segment table . 
offset 341 in virtual memory address 340 is combined with 
Physical memory base address 314 of segment table 310 to 
yield physical memory address 355 of segment table entry 
311-4. Physical memory address 352 in segment table entry 
15 311-4 specifies physical memory base address 364 of 
segment 360. Segment offset 34*2 in virtual memory 
address 340 as combined with physical memory base 
address 364 to yield physical memory address 365 of 
physical memory location 361-2. 
20 Ea ch segment table entry 311-1 through 3 11-N includes 

in region 313 or 353 a bit which indicates whether the 
Physical memory address, e.g., physical memory address 312 
or 352, in segment table entry 311-1 through 311-N points 
to a page table (paged segmentation) or to a segment (non- 
25 paged segmentation) . m one| embodiment, only paged 
segmentation is used by recovery boot process 200 for 
translation of virtual memory addresses to physical memory 
locations . 

As described above, a portion of RAM 102 must be 
30 initialized with fundamental operating system data from 
ROM 103 in fundamental operating system data 
initialization step 210 before persistent data 112 can be 
recovered in persistent region recovery step 220. To 
begin fundamental operating system data initialization 
35 step 210, microprocessor 101 accesses a predetermined 
memory location in SOM 103 which, in turn, enables access 
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to a memory location or locations in ROM 103 which store 
mapping information, i.e., information matching physical 
-memory addresses in BOM 103 to virtual memory addresses, 
for the data stored on ROM 103. This mapping information 
5 is used to re-initialize segment table and page table 
entries for fundamental operating system data stored on 
ROM 103, 

In one embodiment, each re-initialized segment table 
and page table entry is marked to indicate that the 

10 particular physical page or pages corresponding to that 
entry are no longer available, i.e., future allocations of 
data cannot be made to these physical memory locations. 
Thus, the mappings of fundamental operating system data 
that existed before the system reset are preserved after 

15 the system reset through use ofj the information in 

ROM 103. Consequently, no fundamental operating system 
data is mapped to a physical memory location that contains 
persistent data 112 so that no persistent data 112 can be 
destroyed by the fundamental operating system data 

20 initialization step 210. Persistent data 112 can then be 
recovered during persistent data recovery step 220. 
Subsequent to persistent data recovery step 220, the 
remainder of recovery boot process 200 can proceed without 
. regard to the particular mappings of data to physical 

25 memory locations. 

Figure 4A is a diagram of the data structure of 
RpM 410. ROM 410 includes ROM data header 411, map 
table 412 , and ROM items 413-1 through 413-N. Hereafter, 
ROM items 413-1 through 413-N are designated collectively 

30 by the numeral 413; particular ROM items are designated as 
one of ROM items 413-1 through 413-N, e.g., ROM item 
413-1. ROM data header 411 includes, among other things, 
the beginning physical memory address of map table 412 in 
ROM 103, the number of entries in map table 412, the 

35 beginning physical memory address of the first ROM 
item 413-1 and the number of ROM items 413. 
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Figure SA is a block diagram of fundamental operating 
system data initialization 210 according to an embodiment 
of the invention, in system reset step 205, a program 
counter of microprocessor 101 is set to zero so that 
5 microprocessor 101 knows to access the beginning data (for 
the Hobbit microprocessor, the first six bytes) in ROM 
data header 411. The physical memory address of ROM data 
header 411 is hard-wired inti microprocessor 101 so that 
microprocessor 101 always knows where to locate ROM data 
10 header 411. 

As shown in- step 501, microprocessor 101 locates and 
accesses ROM data header 411. Microprocessor 101 is 
instructed to jump to a ROM physical memory address which 
marks the beginning of boot cdde for controlling recovery 

15 boot process 200. Appendix A i£ a computer program 
listing of boot code for use. in one embodiment of this 
invention. The boot code is written in the C computer 
language and Hobbit assembly language for an AT&T 92000 
family set of computer chips including a Hobbit processor 

20 and ASIC chip set. The boot code is executed by 

microprocessor 101 by directly accessing the physical 
memory addresses of the boot code, i.e., translation of 
virtual addresses using the segment table and page tables 
is not necessary. • 

25 Among other things, the boot code looks at a register 

of microprocessor 101 to determine if system reset 
step 205 is a hardware or software reset. As noted above, 
recovery boot process 200 takes place only if a software 
reset has been initiated, if a software reset has been 

30 initiated, this microprocessor register indicates the 
physical memory base address of the segment table, an 
important piece of information that is used later in 
recovery boot process 200. 

Hear the end of execution of the boot code, the boot 

35 code instructs microprocessor 101 to access ROM data 
header 411 again. Microprocessor 101 retrieves the 
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- Physical memory base address of map table 412 and accesses 
map table 412, as shown in step 502. Map table 412 
includes a series of map table entries. Eac h map table 
entry includes: <i> information indicating the type of 
.5 data,. i.e,, executable- image of code, read-only data ot 
read/write data, referred to by the map table entry, (ii) 
person bits for the data, e.g., Kernel or use7access 

Z°Z. >'J 1 lnstructlon8 to *"her copy the data from 
ROM 103 to RM, 102 and map the data fro* M 102 to 
10 vxrtual addresses, or map the data directly from ROM 103 
to virtual addresses, (iv) a virt u al memory address 
and a virtual ffleM ory address length, and (v) a Rom offset 
and a ROM address length. onset 

in step 503, microprocessor 101 accesses the first 

rwht? ent r ^ ^ 5 ° 4 ' & ^ made as 

to whether a ROM mapping or a ram mapp i ng is to be made. 

is to h ™ ■* bo ? i ~ nt of th * Mention, if a rom mapping 
is to be made, microprocessor 101 uses each of one or more 
«P table entries to map all of the data stored in ROM 103 
20 to a corresponding set of virtual addresses, m another 

JoZ 'I™" table CntrieS t0 »** dat * «- or 

tabled ° f ' ** - - — -p 

"..system data from ROM 103. 

virtJr T 6 " 507 ' 0,6 Virtual *™ ory add " ss and 
virtual --«y -a*- len 9 th i„ ^ Mp ^ are 

th , 6 * rM9e °' Vlrta<,1 — «» ** 

def ami „ °* table entr l' «™ to 

TTT * riU,9e ° f PhySi0i ' 1 I * ,n0ry i" HOB 103 

=f the data described by t,,. Bop table 

deterged virtual M „ory addreas ranae an a physl J 

H Z COrreSP ° nal "' to «~ **. are initiaXized. Thi. 
« done even thou 9 h, typically, each of the se^ent table 
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and page table entries that map ROM data from the virtual 

memory address space to the physical memory address space 

already exist. Re-initialization ensures that any 

corrupted entries in the segment table and/or page tables 

5 are corrected, and allows the opportunity to reset 

permission bits, e.g. , data protected at kernel or user 

level, in the segment table Lnd/ or page table entries. 

If, in step 504, it is' determined that a RAM mapping 

is to be made, i.e., sections of data stored in ROM 103 

10 are to be copied to RAM 102, in step 505, microprocessor 

101 accesses the physical memory location in ROM 103 

corresponding to the beginning physical memory address 

given by the ROM offset. The ROM address length indicates 

the number of physical memory addresses, i.e., amount of 

15 data, from which data are to. be copied to RAM 102. The 

virtual memory address offset and virtual memory address 

length in the map table entry are used to determine a 

range of virtual memory addresses corresponding to the 

data to be copied from ROM 103. The amount of data copied 

20 from ROM 103 can be equal to or less than the magnitude of 

the virtual memory address range. The data to be copied 

can be either an executable ,image of code, read-only data 
or read/write data. 

As shown in step 506, data is copied from ROM 103 to 
25 RAM 102 arid mapped from' RAM 102 to virtual addresses. The 
segment table and page tables in RAM 102 are used to 
determine corresponding physical memory addresses, i.e., 
physical memory locations in ram 102, for each of the 
virtual memory addressee. At this point, the mapping and 
30 copying can be done in any ordep. Moving sequentially 
through the data in ROM 103, microprocessor 101 copies 
each piece of data to a physical memory location 
corresponding to the physical memory address translated 
from the virtual memory address that corresponds to the 
35 piece of data being copied. 
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The data in RAM 102 are also mapped to virtual 
addresses, i.e., the corresponding segment and page table 
entraes are initialized. The physical addresses in 
RAM 102 are used, along with the corresponding virtual 
• 5 addresses, to initialize the segment table and page 
tables. This is done, even though each of the segment 
table and page table entries, must already exist, so that 
permission bits can be reset' for each of the segment table 
and page table entries. 
10 Since the segment table and page table entries used 

to determine the physical memory addresses in RAM 102 at' 
which to copy data from ROM 103 are the same as the 
entries existing prior to system reset step 205, the data 
in ROM 103 is stored in the samW physical memory locations 
15 in ram 102 as before the system reset, so that no 

persistent data 112 are inadvertently destroyed. Unlike 
the direct mapping of data from ROM 103 (step 507) 
copying of data from ROM 103 to RAM 102 necessitates that 
segment table and page table entries for the data be 
20 uncorrupted. 

The physical memory pages of RAM 102 to which 
fundamental operating system data has been copied are 
removed^from the system free list during system free list 
initialization step 230 by checking a region table, 
25 described in more detail below, and removing the pages 
after determining that the pages are marked as persistent 
in the region table, as also described' in more detail 
below. 

According to one embodiment of the invention, in 
step 510, during mapping of dath from RAM 102 to virtual 
addresses, a bit in each of the segment table and page 
table entries is marked to indicate that the corresponding 
Physical memory location has been used. The marked 
entries are then eliminated from the system free list 
35 during system free list initialization step 230, discussed 
w detail below. This embodiment- of fundamental operating 
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system data initialization step 210 is used in recovery 
boot process 200 illustrated in Figure 2A. 

According to another embodiment of the invention, the 
segment table and page table entries are not marked, i.e.,- 
5 step 510 is eliminated from the method. The physical • 
memory pages of RAM 102 to which fundamental operating 
system data has been copied hre removed from the system 
free list during system free list initialization step 231 
(Figure 2B) by checking a region table, described in more 
10 detail below, and removing the pages after determining 
that the pages are marked as persistent in the region 
table, as also described in more detail below. This 
embodiment is designated as fundamental operating system 
data initialization step 2ll in" recovery boot process 260 
15 of illustrated in Figure 2B.. 

As shown in step 508, a determination is made as to 
whether the last map table entry has been processed, if 
not, the next map table entry is acessed (step 503) and 
either a rom mapping or RAM mapping (block 504) is carried 
20 out by microprocessor 101 as described above. If the last 
map table entry has been accessed, then the recovery boot 
process continues,, as shown in step 508. 

Figure SB is a block diagram of the fundamental 
operating system data initialization step 210 according to 
25 another embodiment of the invention. The data structure 
of ROM 103 is the same for each of the embodiments of 
fundamental operating system data initialization step 210, 
shown in Figures 5A and SB, respectively. 

As in the embodiment of step 210 illustrated in 
30 Figure 5A, in step 501, ROM da^a header 411 in ROM 103 is 
located and accessed. Boot. code execution is initiated 
and, during execution of the boot code, ROM data 
header 411 is accessed again to determine the location of 
map table 412. 

35 in step 502, map table 512 is located and accessed. 

Map table 412 includes map table entries, each map table 
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entry including information as discussed above with 
respect to Figure 5A- 

In step 511, the map table entries are used to map 
data as described above with respect to steps 505, 506 and 
5 507- of Figure 5A. After- all of the map table entries have 
been used to map data, the Boot code instructs 
microprocessor 101 to access ROM data header 411. 
Microprocessor 101 accesses ROM data header 411 to 
determine the beginning physical memory address of the 
10 first ROM item 413-1. 

In step 512, microprocessor 101 accesses the 
beginning physical memory location of ROM item 413-1. If 
data from ROM item 413-1 is to be initialized, based upon 
a determination described in more detail below and shown 
15 in step 513, microprocessor- 101 initializes all data from 
first ROM item 413-1, as also described in more detail 
below and shown in steps 514 and 515. Whether or not the 
data from first ROM item 413-1- was initialled, 
microprocessor 101 then moves to the physical location in 
20 ROM 103 at which the second ROM item 413-2 begins. The 
location of the start of the second ROM item 413-2 is 
known because second ROM itfcn 413-2 begins at the physical 
memory address in ROM 103 immediately after the last 
physical memory address of ROM item 413-1. If indicated, 
25 microprocessor 101 initializes all data from second ROM 
item 413-2. Microprocessor 101 then continues to 
successively initialize data from ROM items 413, as 
appropriate, as described above, until the last ROM 
item 413-N is checked, as shown in step 517. When the 
30 last ROM item 413-N has been checked, the recovery boot 
process continues, as shown, in step 518. 

To assist in understanding steps 514 and 515 of this 
embodiment of fundamental operating system initialization 
step 210, the structure of ROM items 413 is first 
35 explained. Figure 4B is a diagram of a ROM item 413-1. 
Each of ROM items 413 has the same structure as described 



WO 95/12848 



PCT/US94/12567 



- 29 - 

below for ROM item 413-1. m one embodiment of the 
invention, ROM item 413-1 includes ROM item header 414, 
ROM item namespace 415, ROM item attributes 416 and ROM 
item data 417. ROM item header 414 includes a ROM item 
5 namespace offset, a ROM item namespace size, a ROM item 
attributes offset, a ROM ifem attributes size, a ROM item 
data offset, a ROM item data size, and several flags. 
Each of the offsets specify a beginning physical memory 
address in ROM 103 of the corresponding part of ROM 
10 item 413-1. Each of the sizes define the ending physical 
memory address in ROM 103 of the corresponding part of rom 
- item 413-1. 

In another embodiment of the invention, the ROM item 
header 414 of each ROM item 413 includes the size of the 
15 ROM item 413. However, this information is not necessary 
to implement the invention - . 

The flags in ROM item header 414 indicate permission 
attributes of ROM Item 413, i.e., whether ROM item 413 is 
part of the operating system kernel or a user item, and 
20 whether ROM item 413 must be initialized at boot time. 
This latter attribute is the most important for purposes 
of recovery boot process 2 bo because it indicates whether 
ROM item 413 is to be initialized during fundamental 
operating system data initialization step 210. 
25 ROM item namespace 415 stores the name of ROM 

item 413-1. The name of the ROM item is the path name 
that a user would use to specify the location of the 
program, i.e. , ROM item data 417, that is stored in ROM 
item 413-1. This path name enables the program stored in 
30 ROM item 413-1 to be properly! located within the file 
system of computer system 200 during file system recovery 
step 250, discussed in more detail below. 

ROM item attributes 416 include information about 
characteristics of ROM item 413 such as whether ROM 
35 item 413 is initialized at boot time, whether ROM item 413 
is a kernel or user item, whether ROM item 413 is a 
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machine specific item, and whether ROM item 413 is a file 
or not. 

ROM item data 417 includes, among other things 
described in more detail below, the data constituting the 
5 program stored in ROM . item. 4 13 « ROM item data 417 is also, 
known as an Elf file. The structure of Elf file* 417 is 
defined in Unix™ System V, Release 4 Programmer's Guide: 
ANSI c and Programming Support Tools, Chapter 13. 
During fundamental operating system data 
10 initialization step 210, for each ROM item 413, the 
appropriate flag in ROM item header 414 is checked in 
step 513 (Figure 5B) to see if ROM item 413 requires 
initialization. If ROM item 413 does not require 
initialization, the ROM item data offset and ROM item data 
15 size are used to determine the ending location of ROM 

item 413 in ROM 103 and, therefore, the beginning location 
of the next ROM item 413 in ROM 103, so that the next ROM 
item 413 can be checked to determine whether that ROM 
item 413 is to be initialized. If ROM item 413 requires 
20 initialization, Elf file 417, i.e., ROM item data, is 

examined to proceed with fundamental operating system data 
initialization step 210. 

Figure. 4C is a diagram of Elf file 417. Elf file 417 
includes Elf file header 418, .program header table 419, 
25 executable image of code 420, [read-only data 421 and 

read/write data 422. Elf file' header 418 includes, among 
other things, a program header table offset, which 
indicates the beginning physical memory address in ROM 103 
of program header table 419, and the number of program 
30 headers in program header table 419. Program header 
table 419 includes a program header for each section of. 
data ("program") in Elf file 417,, i.e., executable image 
of code 420, read-only data 421 and read/write data 422. 
Read/write data 422 must be copied to RAM 102. Executable 
35 i ma g e of code 420 and read . only datQ 421 ffiay faQ ^ 

RAM 102. Though, in Figure 4C, only one section of 
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executable., image of code 420, read-only data 421 and 
read/write data 422 are shown in Elf file 417, it is to be 
understood that an Elf file 417 can include more than one 
section of executable image of code 420, read-only 
5 data 421 and/or read/write data 422. 

Each program header includes, among other things, a 
flag that indicates whether the program is executable 
image of code 420, read-only data 421 or read/write 
data 422. Each program header also includes: (i) a 
10 program offset that indicates the beginning physical 
memory address in ROM 103 of the program, and (ii) a 
- program size that, together with the program offset, 
defines the ending physical ^ernory address in ROM 103 of 
the program. The program offset and size define the 
15 physical memory location of the program in rom 103. Each 
program header further includes a beginning virtual memory 
address and a virtual program size that defines an ending 
virtual memory address for the program. The beginning 
virtual memory address and virtual program size define the 
20 range of virtual memory addresses at which the program is 
located. 

As shown in step 514 » for each Elf file 417 that 
:. contains .data requiring initialization during fundamental 
operating system data initialization step 210, 

25 microprocessor ioi uses the physical memory address range 
and the virtual memory address range specified in the 
program header for each program to initialize the segment 
table and page table entries corresponding to data to be . 
mapped from ROM 103 to virtual addresses, e.g., read-only 

30 data 421, as explained above' with respect to step 503 of 
Figure 5A and incorporatea herein by reference. Likewise, 
in step 515, data to be copied to RAM 102 is copied into ' 
RAM 102 and the data mapped from RAM 102 to virtual 
addresses, as described above with respect to step 506 of 

35 Figure 5A and incorporated herein by reference. 
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As an the embodiment of fundamental operating S y £ t era 
data initialization step 210 illustrated in Figure 5A, in 
a further embodiment of the embodiment of fundamental 
operating system data initialization step 210 illustrated 
5 in Figure 5B, in step 51*,, f or each piece of data copied 
to RAM 102, the segment t<able and page table entries are 
marked to indicate that the corresponding physical memory 
location has been used. . This embodiment is used in 
recovery boot process 200 illustrated in Figure 2A. In a 

10 further embodiment, the segment table and page table 

entries are not marked, i.e., step 516 is eliminated from 
- the embodiment of fundamental operating system data 
initialization step 210 illustrated in Figure 5B. This 
further embodiment is use.d in recovery boot process 260 

15 (Figure 2B) . 

After fundamental operating system data 
initialization, step 210, the operating system kernel of 
computer system 100 can run. once the operating system 
kernel can run, the virtual memory location of the region 
20 table ls accessible. The virtual memory location of the 
regaon table is translated, using the segment table and 
page tables, into a physifcal memory address so that 
microprocessor 101 can acpess the contents of the region 
table. The region table indicates, among other things, 
25 whether a particular virtual memory address or range of 
virtual memory addresses store persistent data 112. Using 
these virtual memory addresses, the segment table or page 
table entries, as appropriate, corresponding to virtual 
memory addresses of persistent data 112 are, in one 
30 embodiment, marked as used, like the fundamental operating 
system data above, so that the physical memory addresses 
corresponding to the persistent data 112 can be removed 
from the system free list during the system free list 
initialization step 230. 
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Fxgure 6 is a diagram of persistent region recovery 
step aao according to an embodiment of the invention. 
First, ln step 601, the region table that stores the 
persistent data 112 attribute for each virtual memory 
5 locatxon is located. In one embodiment of the invention, 
the begxnnxng of the regkon table is located at a pre- 
determined virtual memory address, as defined by the 
operating system, so that the beginning physical memory 
location of the region table in RAM 102 can be found by 
10 traversxng the segment table and page tables. In a * 

further embodiment, in which the PenPoint operating system 
. suppled by Go corp. operates on an A t*t Hobbit 

microprocessor, the beginning of the region table is 
located at a virtual address equal to Eocooooon. 

the b In 4 an ° ther the' virtual memory address of 

the beginrung of the region table is "discovered- by 
accessing the boot data structure wh . ch ^ stored J a 

pre-determined physical memory location in ROM 103 and can 
20 code " ^ " ^ ^ ° f eXeCUti - * f ^ *ot 

Each region, i.e., a contiguous block of virtual 
^mory, is represented b l a region table entry in the 

ofvirtuaf 6 * E3Ch Tegiln inClUdeS ^ 

of virtual memory addresses defining the region, 

25 permission attributes am * . ^ 

thW » v. I"' * Persistence Mag, among other 

thmgs. A region tabl , BJltry ^ 

ln step eo3 t0 deternlBe „ hether ^« — 
corresponding to the region table ,„ try ls Mr)!OJ „ 

30 !^ f ' Mar,tin9 01 ' **» " s ^i^ ^, as 
l^et 1 " ' ^ ^ " r " ^"iauzation of the 

operate syste » of colter eyste, 100 or during normal 
operation of computer system loo. 

tra n,ll?l tB9l l n ' " ** " processing 

35 taT I P 603 t0 StBP 602 and th « «"* 

I^Y ^ " MtrleVed - converseay. if the region is 
aarted as persistent, processing transfers fro* step 603 



WO 95/12848 



PCT/US94/12567 



- 34 - 



to step 604. in step 604, the virtual memory address 
range of the region is ascertained from the region table 
entry. 

After step 604, in step 605, the virtual memory base 
. 5 address of the fiwt virtual page in the virtual memory 
address range is ascertained, m step 606, the virtual 
memory base address of the virtual page is translated to a 
Physical memory address using the segment table and page 
tables . 

10 After translation of the virtual memory address to 

the physical memory address, in step 607, the 
- corresponding segment table entry is checked to see if the 
segment table entry is marked, if the segment table entry 
is not marked, then, in'step 608, the segment table entry 
15 is marked. Referring to rigure 3A, the segment table 
entry, e.g., segment table entry 311-2, is marked by 
appropriately setting one of the bits of region 313. 

Once the segment table entry is either marked 
(steps 607 and 608) or determined to have been previously 
20 marked (step 607) , in step 609, the page table entry in 
the appropriate page tafile is marked. Referring to 
Figure 3A, the page table entry, e.g., page table 
entry 321-4, i s marked by appropriately setting one of the 
Mts of region 323. By marking the segment table and page 
25 table entries of each virtual page within a region that 
stores persistent data, the physical memory base address 
of each physical page storing persistent data 112 is 
marked so that the physical memory base address can later 
be removed from the systeijfree list during system free 
30 list initialization step 230. 

After each page is marked in the page table 
(step 609) , in step 610, a determination is made as to 
whether the end of the virtual memory address range for 
the region being processed has been reached, if the end 
35 of the range has not been reached, then the virtual memory 
base address of the next virtual page is determined 
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(step 605), the virtual memory base address is translated 
to a physical memory base address (step 606) , and the 
associated segment and page table entries are marked 
(steps 607, 608 and 609), as described above. If the end 
5 of the range has been reached, then the next region, table 
entry is retrieved (step 602) and examined to determine 
whether the region includes persistent data (step 603) . 
All region table entries are checked in the manner 
described, all persistent data 112 is identified and the 
10 segment table and page table entries (i.e., physical 
memory addresses) corresponding to persistent data are 
marked, when persistent region recovery step 220 is 
complete, the system free list can be initialized. 

Figure 7A is a block' diagram of system free list 
15 initialization step 230 of Figure 2A according to an 
embodiment of the invention. At any given time during 
operation of computer system 100, the system free list 
includes all physical pages of memory that have not yet 
been allocated, i.e., physical memory locations at which 
20 data has not been stored. 

During the first Initialization of the operating 
system of computer system 100, a physical memory page is 

allocated for the system free list and marked as 

persistent. Thus, during the persistent region recovery 
25 step 220 of recovery -boot process 200, the physical memory 
page at which the system free list is stored is recovered. 
This page is used to store the new system free list 
generated during recovery boot process 200 by the system 
free list initialization step, it is necessary to 
30 allocate the same physical page for the system free list 
to ensure that persistent data 112 is not overwritten by 
allocation of a physical page for the system free list. 

To begin system free list initialization step 230, in 
step 701, all physical pages of memory, including those 
35 previously allocated during recovery boot process 200, 
i.e., pages allocated during fundamental operating system 
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data initialization step 210 and persistent data recovery 
step 220, are added to the system free list. 

In step 702, the region table is located and 
accessed. In step 703. the first region table entry is 
5 accessed. 

As discussed above with respect to Figure 6, each 
region table entry identifies a range of virtual memory 
addresses. In step 704, the beginning virtual memory 
address of each virtual memory page is accessed, m 
10 step 705, the segment table and page table entries 

corresponding to the beginning virtual memory address are 
checked to see if the entries are marked to indicate that 
the corresponding physical memory page has been allocated. 
If the physical page has been allocated, in step 706 
15 the physical page is removed from the system free list. • 
In step 707, a determination is made as to whether the 
last virtual page in the region has been checked. If the 
last virtual page has not been checked, then the next 
virtual page in the region is accessed (step 704) and 
20 checked to see if the corresponding physical page has been 
allocated. If the las* virtual page in the region has 
been checked, then, in step 708, a determination is made 
as to whether. the region table entry being processed is 
the last region table entry, if the region table entry is 
25 the last region table entry, then the recovery boot 

process continues, if the region table entry is not the 
last region table entry, then the next region table entry 
is accessed (step 703) asjj described above. 

If, at step 70S, it is determined that the physical 
30 page has not been allocated, *hen the physical page is not 
removed from the system free list. A determination is 
made as to whether the last page in the region has been 
reached (step 707) and, if appropriate, whether the region 
table entry being processed is the last region table entry 
35 (step 708) , and processing of region table entries and 
virtual pages continues as described above. Each region 
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is checked for allocated pages, and all allocated paqes 
are removed from the system free list. 

Figure 7B is a block diagram of system free list 
initialization step 2*1 o£ Figure 2B accorcling to an 
5 embodiment of the invention. In steps 701, 702 and 703, 

every physical memory; page is added to system free list 
and the first region table entry of the region table is ' 
accessed* 

1rt fc J n St6p 711 ' each ^ io » entry is checked, by 

10 checking the persistent attribute of the region table 
entry, to determine if the persistent data is stored at 
the physical memory locations corresponding to the region. 
If persistent data is not stored/the next region table 
entry is accessed (step 703)'. if persistent data is 
15 stored, in step 712. the beginning virtual memory address 
of each virtual memory page in the region is translated to 
the beginning physical memory address of the corresponding 
Physical memory page, and the physical memory page is 
removed from the system free list. 
20 m step 708, a determination is made as to whether 

the region table entry is the last region table entry." if 
not, then the next region table entry is accessed 
(step 703, and checked for the presence of persistent data 
(step 704). If SO/ then, in step 709, the recovery boot 
25 process continues. 

Since the region table includes only virtual 
addresses that have been allocated during previous 
operation of computer system ioo, scanning the region 
table eliminates checking of virtual addresses with which 

30 no data is associated: However, in another embodiment of 
the invention, all segment and page table entries m 
checked to determine if the corresponding physical page 
has been allocated, and all allocated pages are removed 
from the system free list. 

35 When the last region has been examined, system free 

last initialization step 230 is complete. The remaining 
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physical memory pages in the free list - those that have 
not been removed during system free list initialization 
step 230 - have not been allocated and are free to be used 
to store any data without possibility of destroying 

• 5 persistent data 112-. • This is • because, up to the point of 
system free list initialization step 230, no physical 
memory pages were allocated without making the allocation 
based upon the virtual memory map, i.e., the segment table 
and page table entries, existing prior to the system reset 

10 step 205. In other words, fundamental operating system 
data initialization step 210 and persistent region 
recovery step 220 lock out physical memory locations from 
the system free list so that- these locations cannot later 
be used to store other data that would destroy the 

15 fundamental operating system data or, in particular, the 
persistent data 112. Once system free list initialization 
step 230 is complete, the remainder of recovery boot 
process 200 can proceed without fear of destroying 
persistent data 112. 

20 After system free list [Initialization step 230, 

system start-up step 240 is performed, as discussed in 
more detail above with respect to Figure 2. Once system 
start-up 240 is complete, file system recovery step 250 
takes place. 

25 The file system is a set of data structures that 

describe a name-space and data that's contained within 
that name-space. The file system includes information for 
each of the files, such as the state of the file, whether 
the file is opened or closed^ whether the file has been 

30 written to, permission attributes, and whether the file is 
write-protected or not. 

The first time that the file system is initialized, a 
heap is created. A heap pointer is stored in the boot 
data structure. The file system is initialized from 

35 ROM 103 by scanning all ROM items 413 in ROM 103 and 

marking all items that have a file name. Elements in the 
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heap are used to record file system structures for 
potentially allocating new heap entities and for pointing 
back into the ROM so that it looks like the file system is 
composed only of a- set of ROM files. 
5 over time , new files. are. allocated or deleted. Kcw • 

files are allocated either from the heap, or directly from 
a memory allocator that is part of computer system 100 and 
the files referenced within .the heap, ram files are 
marked persistent when they are allocated. Files which 
10 were initialized from ROM 103 can be deleted or modified 
by copying the file into RAM 102 and then putting the file 
back into the file system, i.e. / using the same mechanism 
as creating a file originally in RAM. Consequently, the 
Physical memory locations allocated for these "new" files 
15 are also marked as persistent data 112. 

In file system recovery step 250, the file system is 
recovered by retrieving the heap pointer from the boot 
data so that microprocessor 101 can locate files in the 
file system once again. After file system recovery 
20 step 250, recovery boot process continues by initializing 
any remaining operating system data (not shown) . 

Various embodiments of the invention have been 
described. ' The descriptions are intended to be 
■ illustrative, not limitative. Thus, it will be apparent 
25 to one skilled in the art that certain modifications may 
be made to the invention as described without departing 
from the scope of the claims set out below. 
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We claim: 

1* In a computer system including a microprocessor 
and a memory storing persistent data, a method for 
recovery contents of the memory, after a system reset, to 
5- a state that allows user coritrol of the operation * of the 
microprocessor, the method comprising the steps of: 

recovering a portion of fundamental operating 
system data such that said portion of fundamental 
operating system data is stored within the memory in 
10 locations different from locations that stored 

persistent data prior to tjhe recovery; and 
recovering the persistent data. 

2, A method as in claim i f wherein: 

each location in the memory at which data is 
stored is identified by a virtual memory address; and 

the step of recovering fundamental operating 
system data further comprises: 

retaining, after the system reset, the 
virtual, memory address, existent before the 
system reset, of qach of the first set of 
fundamental operating system data; 

translating the virtual memory address of 
each of the first set of fundamental operating 
system data to a physical memory address using 
25 translation data; and 

storing each of the fundamental operating 
system data at a. location in the memory 
corresponding to the physical memory address 
determined during the step of translating. 

30 3 * A method as in Claim 2, wherein the step of 

recovering the fundamental operating system data further 
comprises marking each of the translation data to indicate 
that locations in the memory that store the first set of 
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fundamental operating system data cannot be used to store 
other data. 

4. a method as in Claim 2, wherein: 

persistent. data isi identified, prior to the 
5 system reset, by a tag associated with the virtual 

address of each of the persistent data; and 
the step of recovering persistent data 
comprises: 

identifying virtual memory addresses that 
10 have been tagged; 

translating each of the tagged virtual 
memory addresses to a physical memory address 
using translation data; and 

recovering data stored at the locations in 
the memory corresponding to the physical memory 
addresses such that other data cannot be stored, 
subsequent to the step of recovering persistent 
data, in the locations in the memory at which 
persistent data are stored. 

20 5 - A method as in Claim 4, wherein: 

the step of recovering the fundamental "operating 
system data further comprises marking the translation 
data to indicate that locations in the memory that 
store the first set of fundamental operating system 

25 data cannot be used to store other data; and 

the step of recovering persistent data further 
comprises marking the translation data to indicate 
that locations in the memory that store persistent 
data cannot be used to store other data. 

30 6. a method as in claim 5, further comprising the 

step of constructing a list of physical memory addresses 
corresponding to locations in the memory which can be used 
to store data during the recovery subsequent to the step 
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of constructing, the list including all physical memory 
addresses corresponding to locations in the memory except 
physical memory addresses corresponding to the marked 
translation data, 

7. A method as in Claim 1, wherein: 

each location in the memory at which data is 
stored is identified by a virtual memory address; 

persistent data is identified, prior to the 
system reset, by a tag associated with the virtual 
address of each of the persistent data; and 
the step of .recovering persistent data 
comprises: 

identifying virtual memory addresses that 
have been tagged; 

translating each of the tagged virtual 
memory addresses to a physical memory address 
using translation data; and 

recovering data stored at the locations in 
the memory corresponding to the physical memory 
addresses such thai; other data cannot be stored, 
subsequent to the step of recovering persistent 
data ' in the locations in the memory at which 
persistent data are stored. 

a- a method as in Claim ?, wherein the step of 
25 recovering persistent data further comprises marking the 
■ translation data to indicate that locations in the memory 
that store persistent data cannot be used' to store other 
data. 

9. A method as in Claim i> further comprising the 
30 step of constructing a list of physical memory addresses 
corresponding to locations, in the memory which can be used 
to store data during the recovery subsequent to the step 
of constructing, wherein: 
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physical memory addresses corresponding to 
locations in the memory at which the first set of 
fundamental operating system data are stored are 
excluded from the list; and 
5 physical memory adhresses corresponding to 

locations in the memory at which the peirsistent data 
are stored are excluded from the list. 

10. In a computer system including a microprocessor 
and a memory storing persistent data, a method for 
10 recovery contents of the memoryjl after a system reset, to 
a state that allows user control of the operation of the 
microprocessor, the method comprising the steps of: 

recovering fundamental operating system data 
such that a first set of fundamental operating system 
15 data is stored within the memory and such that none 

of the first set of fundamental operating system data 
is stored in locations in the memory that stored 
persistent data prior tp the system reset; and 

constructing a list of physical memory addresses 
20 for locations in the mejnory which can be used to 

store data during the recovery subsequent to the step 
of constructing wherein: 

physical memory addresses for locations in 
the memory at which the first set of fundamental 
25 operating system data are stored are excluded 

from the list; and 

physical memory addresses for locations in 
the memory , at which the persistent data are 
stored are excluded from the list. 

30 11. A method as in Claim io, wherein: 

each location in the memory at which data is 
stored is identified by a virtual memory address; and 

the step of recovering fundamental operating 
system data further comprises: 
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retaining, after the system reset, the 
virtual memory address, existent before the 
system reset, of e ]ach of the first set of 
fundamental operating system data; 

translating the virtual memory address of . 
each of the first set of fundamental operating 
system data to a physical memory address using 
translation data; and 

storing: each of the first set of 
fundamental operating system data at a location 
in the memory corresponding to the physical 
memory address determined during the step of 
translating. 



12. 



A method as in Claim 11, wherein the step of 
15 recovering the fundamental operating system data further 
comprises marking each of the translation data to indicate 
that locations in the memory that store the first e*t. of 
fundamental operating system, data cannot be used to' store 
other data. 



20 13. A method as in Claim 12, wherein the step of 

constructing further comprises including all physical 
memory addresses corresponding to locations in the memory 
except physical memory addresses corresponding to the 
marked translation data. 

25 14. m a computer system including a microprocessor 

and a memory storing persistent data, a method for 
recovery contents of the memory, after a system reset, to 
a state that allows user control of the operation of the 
microprocessor, the method, comprising the steps. of: 
30 prior to the system reset, marking locations in 

the memory that store persistent data; and 

after the system reset, recovering the 
persistent data. 
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15 . A method as in Claim 14 , wherein: 

each location in the memory at which data is 
stored is identified by a virtual memory address 7 
the step of. Barking locations in the memory 
further comprises associating a tag with the virtual 
memory address corresponding to each location in the 
memory at which persistant data is stored; and 

the step of recovering persistent data further 
comprises: 

identifying virtual memory addresses that 
have been tagged; 

translating the tagged virtual memory 
addresses to physical memory addresses using 
translation data; and . * 

recovering data stored at the locations in 
the memory corresponding to the physical memory 
addresses such that data cannot be stored, 
subsequent to the step of recovering persistent 
data, in the locations in the memory that store 
persistent data. 
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